This invention relates to the use of security token devices to secure data on computers, providing a dual factor method of user authentication, but doing so in such a manner that the token can be used to secure an unlimited number of volumes of encrypted data, each with a unique encryption key. The invention also provides a system whereby, at the user's discretion, others may also have access to the encrypted volume.
Traditionally, access to a computer is controlled by software which requires the user to login using a special password already known to the computer. If the password entered by the user matches the password previously registered with the computer, the user is allowed access to the system. Similarly, by entering the correct password, a user can log into a remote storage server where control software determines which files can be read or updated.
More recently, with the need to improve security, some computers require a user to have a hardware device to assist in the login process. This hardware token is usually a “smart card” or a Universal Serial Bus (USB) device. In either case, the token has the ability to store information or secrets in such a way that they can only be accessed in accordance with the programming inside of the device. In conventional use, the tokens store passwords used to log into computers and servers. To log in, a user must enter a PIN (Personal Identification Number) associated with the token. The token then unloads the secret user password and permits login. This security approach is better than just a password since access to the system requires “something you know”—the PIN, and “something you have”—the security token.
State-of-the-art products thus providing dual factor authentication suffer from deficiencies and limitations that limit the realization of their full potential and effectiveness.

First, if the token uses the same internally stored password to log into a large number of systems, anyone having that password would gain access to the entire system. On the other hand, if every system had a unique password, the token would need to store all of the passwords, which would require more internal memory inside the device and still limit the number of systems that could be accessed.

Second, once a system has been secured by a token, if the token is lost or damaged, access to the system is lost along with protected data and information.

Third, current systems do not provide a scheme whereby access protected by a security token device can be managed in such a way that users can be organized into security groups, and each member of a group can share access to computers, servers, storage volumes, or protected facilities.

Fourth, since the method of limiting access to data on a computer or a server is limited by software programming intended to control access to the data, in the event that the security software has been breached, the intruding user gains access to the restricted files.

Fifth, the task of managing security levels and user passwords on a large number of servers becomes burdensome and unreliable. Complex and difficult to manage software is necessary, and even then provides a solution of only limited effectiveness.
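As an added illustration, not the patent's own mechanism (which this passage does not describe), the following Python simulation shows one way a token can hold a single master secret behind a PIN with a retry lockout and still yield a distinct key for every volume, so the per-system password storage problem described under "First" does not arise. The SimulatedToken class, the HKDF labels and the three-try lockout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class SimulatedToken:
    """Assumed model of a token: one master secret, released only as
    per-volume derived keys, and only after a correct PIN."""

    MAX_PIN_TRIES = 3  # assumed lockout threshold

    def __init__(self, pin: str):
        # Only a hash of the PIN and the master secret live inside the token.
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._master = secrets.token_bytes(32)   # never leaves the token
        self._tries_left = self.MAX_PIN_TRIES
        self.locked = False

    def volume_key(self, pin: str, volume_id: str) -> bytes:
        """Return the unique 256-bit key for volume_id, or raise on a bad PIN.
        Nothing per-volume is stored: the key is derived from the master
        secret and the volume identifier each time it is requested."""
        if self.locked:
            raise PermissionError("token locked after too many bad PINs")
        offered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(self._pin_hash, offered):
            self._tries_left -= 1
            if self._tries_left == 0:
                self.locked = True
            raise PermissionError("bad PIN")
        self._tries_left = self.MAX_PIN_TRIES     # reset on success
        return hkdf_sha256(self._master, b"volume-key-v1", volume_id.encode())
```

Because each volume key is a function of the master secret and the volume identifier, the token's memory does not grow with the number of protected volumes, and a key recovered from one volume reveals nothing about the others.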